
NetFence: Preventing Internet Denial of Service from Inside Out

Xin Liu, Xiaowei Yang (Dept. of Computer Science, Duke University)

Yong Xia (Networking Systems Group, NEC Labs China)

SIGCOMM 2010

A Presentation at Advanced Defence Lab 2

Outline

› Introduction
› Assumptions and Goals
› Architecture
› Design Details
› Analysis
› Implementation and Evaluation
› Discussion


Introduction

A survey from Arbor Networks (2009) shows that DoS attacks continue to grow in both scale and sophistication.


Today’s Research

There have been several proposals addressing this challenge.

But … the best defense mechanism these systems can offer is per-host queuing at the flooded link to separate legitimate traffic from attack traffic.

[Figure with labels TCP and DoS]


Assumptions and Goals

Threat Model
› Flood-based network attacks
› Strong adversary

[Figure; label: Victim]


Assumptions and Goals (cont.)

Assumptions
› Trust: we assume that routers managed by the network are much less likely to be compromised than end systems.
› Line-speed lightweight cryptography: some current hardware can support AES operations at 40Gbps (Intel AES Instruction Set).


Assumptions and Goals (cont.)

Goals
› Guaranteed network resource fair share
› Open network
› Scalable and lightweight: low communication, computation, and memory overhead
› Incrementally adoptable
› Network self-reliant defense: our hypothesis is that extra dependencies increase security risk and may create deployment deadlocks.


Architecture


Packet Type

NetFence has three types of packets: request packets, regular packets, and legacy packets.
› The first two have a shim NetFence header between their IP and upper-layer protocol headers.


Design Details

Congestion policing feedback
› nop: indicating no policing action is needed.
› mon: indicating the connection must be monitored.
› L↑ or L↓: indicating the link L is overloaded or underloaded.


Protecting the Request Channel

It limits the request channel on any link to a small fraction (5%) of the link’s capacity.

It combines packet prioritization and priority-based rate limiting:
› the sender is limited to send level-k packets at half of the rate of level-(k-1) packets


Protecting the Regular Channel

Monitoring cycle
› When a router suspects that its outgoing link L is under attack, it starts a monitoring cycle for L, based on:
  › The router’s average utilization
  › The average loss rate p (computed with an EWMA algorithm) and the threshold pth
› It marks L as in the mon state


Updating Congestion Policing Feedback

› If the packet carries nop, stamp L↓.
› Otherwise, if the packet carries L’↓ stamped by an upstream link L’, do nothing.
› Otherwise, if L is overloaded, stamp L↓.
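The monitoring cycle and the feedback update rules above, as an added example (not the NetFence authors' code): a toy model of one bottleneck router that tracks the loss rate of its link L with an EWMA, enters the mon state once p exceeds pth = 2%, and then rewrites the feedback of each packet it forwards. The EWMA weight, the decision to leave feedback untouched while L is not in mon, and stamping L↑ when a monitored link is underloaded are assumptions that go beyond the slides (they follow the slide's definition of L↑/L↓, not a rule the slide states).

```python
# Added example, not the NetFence authors' code: a toy model of a bottleneck
# router's monitoring cycle and feedback update. Assumptions not on the slides:
# the EWMA weight, that feedback is only rewritten while L is in the mon state,
# and that an underloaded link in the mon state stamps L-up.
from dataclasses import dataclass
from typing import Optional

P_TH = 0.02        # attack detection threshold p_th (2%, from the slides)
EWMA_ALPHA = 0.5   # EWMA smoothing weight (assumption)


@dataclass
class Feedback:
    kind: str                   # "nop", "up" (L-up) or "down" (L-down)
    link: Optional[str] = None  # link that stamped up/down; None for nop


@dataclass
class LinkMonitor:
    name: str
    loss_rate: float = 0.0      # EWMA of the measured loss rate p
    in_mon: bool = False        # is L in the mon state?
    overloaded: bool = False    # from the router's utilization measurement

    def observe_interval(self, sent: int, lost: int, overloaded: bool) -> bool:
        """Fold one measurement interval into the EWMA loss estimate; start a
        monitoring cycle (mon state) once p exceeds p_th. Returns in_mon."""
        sample = lost / sent if sent else 0.0
        self.loss_rate = EWMA_ALPHA * sample + (1 - EWMA_ALPHA) * self.loss_rate
        self.overloaded = overloaded
        if self.loss_rate > P_TH:
            self.in_mon = True
        return self.in_mon

    def update_feedback(self, fb: Feedback) -> Feedback:
        """Rewrite the congestion policing feedback of a packet crossing L."""
        if not self.in_mon:
            return fb                           # assumption: untouched outside mon
        if fb.kind == "nop":
            return Feedback("down", self.name)  # rule 1: nop -> stamp L-down
        if fb.kind == "down" and fb.link != self.name:
            return fb                           # rule 2: upstream L'-down stands
        if self.overloaded:
            return Feedback("down", self.name)  # rule 3: L overloaded -> L-down
        return Feedback("up", self.name)        # assumption: underloaded -> L-up


if __name__ == "__main__":
    # Constructed measurements: a quiet interval, then a lossy one.
    mon = LinkMonitor("L")
    print(mon.observe_interval(sent=1000, lost=5, overloaded=False))    # False
    print(mon.observe_interval(sent=1000, lost=100, overloaded=True))   # True
    print(mon.update_feedback(Feedback("nop")))                         # L-down
```

Rule 2 is what keeps a packet's feedback pointing at the first congested link on its path: a downstream monitored link leaves an upstream L’↓ alone, so the access router throttles the rate limiter for the link that is actually saturated.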


Regular Packet Policing at Access Routers

We implement a rate limiter as a queue whose de-queuing rate is the rate limit, similar to a leaky bucket.
› use the queue to absorb traffic bursts


Robust Rate Limit Adjustment

The L↑ and L↓ feedback enables an access router to adjust a rate limiter (src,L)’s rate limit rlim with an AIMD algorithm.


Robust Rate Limit Adjustment (cont.)

However, a malicious sender can manipulate this design by hiding the L ↓ feedback to prevent its rate limit from decreasing.

So…


Robust Rate Limit Adjustment (cont.)

For each rate limiter (src,L), the access router Ra keeps two state variables: ts and hasIncr.
› If hasIncr is true, Ra compares the throughput of the rate limiter with 1/2 rlim.
› Otherwise, Ra will decrease rlim to (1 − δ)rlim.
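The leaky-bucket rate limiter and the robust AIMD adjustment from the last three slides, as an added example (not the NetFence authors' code). It compares two access-router limiters against a sender that hides every L↓ it receives: a naive AIMD that decreases only when it sees L↓, and the robust version that keeps ts and hasIncr and decreases unless it has seen L↑ in the control interval. The additive step, the value of δ, the interval length, and leaving rlim unchanged when hasIncr is set but throughput is at most 1/2 rlim are assumptions not stated on the slides.

```python
# Added example, not the NetFence authors' code: a (src, L) rate limiter at an
# access router modelled as a leaky-bucket queue, with naive vs. robust AIMD.
# Assumptions not on the slides: DELTA_INC, DELTA_DEC, INTERVAL, and that an
# interval with hasIncr set but throughput <= rlim/2 leaves rlim unchanged.
from collections import deque
from typing import Optional

DELTA_INC = 1.0    # additive increase, Mbps (assumption)
DELTA_DEC = 0.25   # multiplicative decrease factor delta (assumption)
INTERVAL = 1.0     # control interval, seconds (assumption)


class RateLimiter:
    def __init__(self, rlim: float, robust: bool):
        self.rlim = rlim            # rate limit in Mbps
        self.robust = robust
        self.queue = deque()        # queued packet sizes in bytes
        self.ts = 0.0               # start of the current control interval
        self.has_incr = False       # robust: seen L-up in this interval?
        self.saw_decr = False       # naive: seen L-down in this interval?
        self.sent_bits = 0          # bits de-queued in this interval

    def enqueue(self, packet_bytes: int) -> None:
        self.queue.append(packet_bytes)     # the queue absorbs bursts

    def dequeue(self, elapsed: float) -> None:
        """De-queue at most rlim * elapsed bits (leaky-bucket behaviour)."""
        budget = self.rlim * 1e6 * elapsed
        while self.queue and self.queue[0] * 8 <= budget:
            budget -= self.queue[0] * 8
            self.sent_bits += self.queue.popleft() * 8

    def feedback(self, kind: str, fb_ts: float) -> None:
        """Feedback the sender chose to return; it may suppress L-down."""
        if fb_ts < self.ts:
            return                  # feedback from an earlier interval is ignored
        if kind == "up":
            self.has_incr = True
        elif kind == "down":
            self.saw_decr = True

    def end_interval(self, now: float) -> float:
        throughput = self.sent_bits / 1e6 / INTERVAL   # Mbps over the interval
        if self.robust:
            if self.has_incr:
                if throughput > self.rlim / 2:          # only a used limit grows
                    self.rlim += DELTA_INC
            else:
                self.rlim *= 1 - DELTA_DEC              # no L-up seen: decrease
        else:
            if self.saw_decr:
                self.rlim *= 1 - DELTA_DEC
            else:
                self.rlim += DELTA_INC                  # hidden L-down => growth
        self.ts, self.has_incr, self.saw_decr, self.sent_bits = now, False, False, 0
        return self.rlim


def simulate(robust: bool, returned: Optional[str], offered_pkts: int = 1000,
             intervals: int = 4) -> float:
    """Run `intervals` control intervals; `returned` is the feedback kind the
    sender hands back each interval ("up", "down", or None when it hides it).
    Constructed load: offered_pkts packets of 1500 bytes per interval."""
    rl = RateLimiter(rlim=8.0, robust=robust)
    for i in range(intervals):
        now = i * INTERVAL
        for _ in range(offered_pkts):
            rl.enqueue(1500)
        rl.dequeue(INTERVAL)
        if returned is not None:
            rl.feedback(returned, now)
        rl.end_interval(now + INTERVAL)
    return rl.rlim


if __name__ == "__main__":
    print("naive, L-down hidden :", simulate(robust=False, returned=None))   # 12.0
    print("robust, L-down hidden:", simulate(robust=True, returned=None))    # 2.53125
    print("robust, L-up returned:", simulate(robust=True, returned="up"))    # 12.0
```

The asymmetry is the point: under the robust rule a sender gains nothing by dropping L↓, because the access router needs a fresh L↑ in every interval to avoid the multiplicative decrease, and even then only raises the limit when the sender has actually used more than half of it.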


Securing Congestion Policing Feedback

Feedback format

Stamping nop feedback
› token_nop = MAC_{K_a}(src, dst, ts, null, nop)


Securing Congestion Policing Feedback (cont.)

Stamping L↑ feedback
› token_L = MAC_{K_ai}(src, dst, ts, L, mon, incr)
› Also inserts a token_nop into the token_nop field.

Stamping L↓ feedback
› token_L = MAC_{K_ai}(src, dst, ts, L, mon, decr, token_nop)
› The router Rb erases the token_nop field afterwards to prevent malicious downstream routers from overwriting its feedback.


Securing Congestion Policing Feedback (cont.)

Validating feedback
› A feedback is considered invalid if its ts field is more than w seconds older than the access router’s local time tnow: |tnow − ts| > w, or if the MAC field has an invalid signature.
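The stamping and validation from the three "Securing Congestion Policing Feedback" slides, as an added example (not the NetFence authors' code). The access router Ra stamps nop with a MAC under its own key K_a; the bottleneck router Rb stamps L↑ or L↓ under the pairwise key K_ai and, for L↓, binds token_nop into the MAC and erases the token_nop field; Ra then rejects feedback whose timestamp is outside the window w or whose MAC does not verify. HMAC-SHA256 truncated to 8 bytes as the MAC, the value of w, the constructed keys, and the single AS pair are assumptions; the helper that models a downstream router overwriting L↓ exists only to show that validation rejects it.

```python
# Added example, not the NetFence authors' code: MAC-protected congestion
# policing feedback. Assumptions not on the slides: HMAC-SHA256 truncated to
# 8 bytes, w = 30 s, constructed keys, and a single (AS a, AS i) key pair.
import hmac
import hashlib
from dataclasses import dataclass

W = 30  # validity window w in seconds (assumption)

# Constructed keys (assumption): K_a is the access router Ra's own secret;
# K_ai is the pairwise key of AS a (Ra's AS) and AS i (the bottleneck router
# Rb's AS), matching the K_a / K_ai subscripts on the slides.
K_A = b"constructed-access-router-secret"
K_AI = b"constructed-pairwise-key-AS-a-AS-i"


def mac(key: bytes, *fields) -> bytes:
    """MAC over the listed header fields (bytes fields are used verbatim)."""
    msg = b"|".join(f if isinstance(f, bytes) else str(f).encode() for f in fields)
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


@dataclass
class FeedbackHeader:
    src: str
    dst: str
    ts: int                  # timestamp set by Ra when it stamps nop
    link: str = "null"       # "null" for nop, otherwise the link name L
    action: str = "nop"      # nop or mon
    mode: str = ""           # incr (L-up) or decr (L-down) when action is mon
    token: bytes = b""       # MAC field
    token_nop: bytes = b""   # token_nop field


def stamp_nop(src: str, dst: str, ts: int) -> FeedbackHeader:
    """Ra: token_nop = MAC_{K_a}(src, dst, ts, null, nop)."""
    return FeedbackHeader(src, dst, ts, token=mac(K_A, src, dst, ts, "null", "nop"))


def _carried_token_nop(fb: FeedbackHeader) -> bytes:
    return fb.token if fb.action == "nop" else fb.token_nop


def stamp_up(fb: FeedbackHeader, link: str) -> FeedbackHeader:
    """Rb: token_L = MAC_{K_ai}(src, dst, ts, L, mon, incr); token_nop kept."""
    token = mac(K_AI, fb.src, fb.dst, fb.ts, link, "mon", "incr")
    return FeedbackHeader(fb.src, fb.dst, fb.ts, link, "mon", "incr",
                          token, _carried_token_nop(fb))


def stamp_down(fb: FeedbackHeader, link: str) -> FeedbackHeader:
    """Rb: token_L = MAC_{K_ai}(src, dst, ts, L, mon, decr, token_nop);
    the token_nop field is erased so downstream routers cannot reuse it."""
    token = mac(K_AI, fb.src, fb.dst, fb.ts, link, "mon", "decr", _carried_token_nop(fb))
    return FeedbackHeader(fb.src, fb.dst, fb.ts, link, "mon", "decr", token, b"")


def validate(fb: FeedbackHeader, t_now: int) -> bool:
    """Ra: invalid if |t_now - ts| > w or the MAC does not verify."""
    if abs(t_now - fb.ts) > W:
        return False
    token_nop = mac(K_A, fb.src, fb.dst, fb.ts, "null", "nop")  # Ra recomputes it
    if fb.action == "nop":
        return hmac.compare_digest(fb.token, token_nop)
    if fb.mode == "incr":
        expected = mac(K_AI, fb.src, fb.dst, fb.ts, fb.link, "mon", "incr")
        return (hmac.compare_digest(fb.token, expected)
                and hmac.compare_digest(fb.token_nop, token_nop))
    if fb.mode == "decr":
        expected = mac(K_AI, fb.src, fb.dst, fb.ts, fb.link, "mon", "decr", token_nop)
        return hmac.compare_digest(fb.token, expected)
    return False


def model_downstream_overwrite(fb: FeedbackHeader) -> FeedbackHeader:
    """Threat from the slides: a router downstream of L, without K_a, tries to
    turn L-down back into nop. token_nop was erased, so the best it can do is
    copy whatever token bytes remain; validate() rejects the result."""
    return FeedbackHeader(fb.src, fb.dst, fb.ts, token=fb.token_nop or fb.token)


if __name__ == "__main__":
    nop = stamp_nop("10.0.0.1", "10.0.1.1", ts=1000)   # constructed addresses
    down = stamp_down(nop, "L")
    print(validate(down, t_now=1010))                           # True
    print(validate(model_downstream_overwrite(down), 1010))     # False
    print(validate(down, t_now=1000 + W + 1))                   # False (stale)
```

Because Ra recomputes token_nop from K_a rather than trusting the field, an L↓ stamp can only be produced by a router holding K_ai that saw the genuine nop token, and only for the (src, dst, ts, L) tuple it was computed over: changing the link name or replaying an old timestamp fails validation.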


Localizing Damage of Compromised Routers

If its congestion persists after it has started a monitoring cycle, which signals malfunctioning access routers, a NetFence router can take several approaches to localize the damage of compromised ASes.


Localizing Damage of Compromised Routers (cont.)

All approaches require a router to correctly identify a packet’s source AS, which can be achieved using an IP-to-AS mapping tool if the packet’s source IP address is not spoofed.

NetFence uses Passport to prevent source address spoofing.

[Figure: packet layout: IP Header | Passport | Payload]


Parameter Settings


Parameter Settings (cont.)

A request packet size is estimated as 92 bytes, which includes a 40-byte TCP/IP header, a 28-byte NetFence header and a 24-byte Passport header.

We set the attack detection threshold pth to 2%, since at this packet loss rate a TCP flow with 200ms RTT and 1500B packets can obtain about 500Kbps throughput.


Analysis - Scalability

As a closed-loop design, NetFence can place different functions at different locations to provide per-sender fairness.

We think 100 links per legitimate sender is a reasonable upper bound.
› If an access router serves 10K end hosts, the total amount of memory requirement is less than 2GB.
› The per-packet processing time on our benchmarking PC is less than 1.3μs during attack times. This translates into a throughput of more than 9Gbps.


Analysis - Security

Malicious End Systems
› Forgery or Tampering: MAC and robust AIMD
› Evading attack detection: packet loss rate p
› On-off attacks: prolonged monitor cycle


Analysis – Security (cont.)

Malicious On-path Routers
› A malicious router downstream of a congested link may attempt to remove or modify the L↓ feedback: MAC
› A malicious on-path router may discard packets to completely disrupt end-to-end communications, duplicate packets, or increase packet sizes to congest downstream links: Passport


Analysis - Incremental Deployment

Routers at congested links and access routers need to be upgraded, but well-provisioned routers that can withstand tens of Gbps attack traffic may not need to upgrade.


Implementation and Evaluation


Micro-benchmarking

We have implemented NetFence in Linux using XORP and Click. We benchmark the Linux implementation on Deterlab with a three-node testbed.

A---B--{5Mbps}---C
› Send 100Kbps UDP request and 1Mbps UDP regular
› 1Mbps UDP request and 10Mbps UDP regular for DoS


Micro-benchmarking


Mitigating DoS Flooding Attacks

Using ns-2 simulations; compare with other solutions:
› TVA+: uses network capabilities and per-host fair queuing to defend against DoS flooding attacks.
› StopIt: a filter and fair queuing based DoS defense system.
› Fair Queuing


Mitigating DoS Flooding Attacks

Unwanted Traffic Flooding Attacks

[Figure: topology with routers Rbl and Rbr; 1 legitimate sender and 99 attackers; victim]


Mitigating DoS Flooding Attacks (cont.)


Mitigating DoS Flooding Attacks (cont.)

Colluding Attacks
› Single Bottleneck

[Figure: topology with routers Rbl and Rbr; 10 ASes; 25% legitimate senders; victim]


Single Bottleneck

Two metrics
› Throughput Ratio, the ratio between the average throughput of a legitimate user and that of an attacker
› Fairness Index among legitimate users. Let xi denote a legitimate sender i’s throughput; the fairness index is defined as (Σ xi)^2 / (n Σ xi^2).


Single Bottleneck (cont.)


Multiple Bottlenecks (In Technical Report)

[Figure: multi-bottleneck topology; labels A, B, C, CL1, CL2]


Multiple Bottlenecks (cont.)


Multiple Bottlenecks (cont.)

Multi-bottleneck feedback in a NetFence header


Strategic Attacks (On-off Attack)


Discussion

Fair Share Bound
› O( C/(G+B) )

Congestion Quota
› If we assume legitimate users have limited traffic demand while attackers aim to persistently congest a bottleneck link, we can further weaken a DoS flooding attack by imposing a congestion quota.


Discussion

Convergence Speed
› It may take a relatively long time (e.g., 100s-200s) for NetFence to converge to fairness.

Equal Cost Multiple Path
› NetFence assumes that a flow’s path is relatively stable and the bottleneck links on the path do not change rapidly.